File storage system, cache appliance, and method

ABSTRACT

A file storage system for storing data of a file received from a client includes a back-end file server in which the data is stored. The system includes a cache appliance in communication with the file server, such that the appliance stores portions of the data or attributes of the file, and uses the stored data or attributes to process file system requests received from the client, and which reads and writes data and attributes to the back-end file server independently. A system for responding to a file system protocol request in regard to a back-end server includes a token server. The system includes a plurality of cache appliances in communication with the token server, each of which receives tokens from the token server to synchronize access to data and attributes caches of the cache appliances, and reading and writing data and attributes to the back-end servers when tokens are revoked, the cache appliance having persistent storage in which data are stored, and the token server having persistent storage in which tokens are stored. A storage system includes a plurality of backend servers. The system includes a token server which grants permission to read and write file attributes and data system, and includes a plurality of cache appliances in communication with at least one of the backend servers and the token server for processing an incoming NFS request to the one backend server. Each cache appliance comprises an NFS server which converts incoming NFS requests into cache manager operations; a token client module in communication with the token server having a cache of tokens obtained from the token server; a cache manager that caches data and attributes and uses tokens from the token client module to ensure that the cached data or attributes are the most recent data or attributes, and an NFS client which sends outgoing NFS requests to the back-end file server. Methods for storing data of a file received from a client.

FIELD OF THE INVENTION

The present invention is related the data storage involving cacheappliances and back-end servers where the cache appliances operateindependently of the back end servers to which they store the data. (Asused herein, references to the “present invention” or “invention” relateto exemplary embodiments and not necessarily to every embodimentencompassed by the appended claims.) More specifically, the presentinvention is related the data storage involving cache appliances andback-end servers where the cache appliances operate independently of theback end servers to which they store the data and which use tokens tosynchronize access to data and attributes caches of the cacheappliances.

BACKGROUND OF THE INVENTION

This section is intended to introduce the reader to various aspects ofthe art that may be related to various aspects of the present invention.The following discussion is intended to provide information tofacilitate a better understanding of the present invention. Accordingly,it should be understood that statements in the following discussion areto be read in this light, and not as admissions of prior art.

Caching appliances make one or more copies of the data stored on aNetwork-attached storage (or NAS) file server, based upon the data beingrecently accessed, with the goal of accelerating access to that data, aswell as reducing the load placed on the server by the NAS clients. Butcaching appliances, in their current implementation are limited both inthe types of operations that they can offload from the back-end fileservers, and in their scalability in a data center environment.Scalability is especially important in those environments whereapplications can run on any physical system within a large cloud ofcompute servers, each acting as a NAS client, and thus where there maybe thousands, or more, clients communicating with a small number of NASfile servers. This invention addresses these scaling and performanceissues, as described below.

There have been a number of network file system caching devices releasedover the years. The first release of the Andrew file system, in 1984,performed disk-based caching, and NFS clients 20, from their first days,contained memory resident caches. The NFS/AFS translator, a product fromIBM Transarc Labs, supported caching of NFS files stored in an AFSglobal file system. All of these systems made local copies of datastored on a back-end file server (an AFS server in the NFS/AFStranslator example), and service incoming NFS requests both with theassistance of the cached data and making requests to the back-end fileserver. File system caches are partially categorized by how they processwrite operations. They operate either in write-through mode, where everyincoming write operation is forwarded back to the back-end file serverbefore being acknowledged, or in write-back mode, where incoming writeoperations may be acknowledged by the cache appliance before the data isactually written to the back-end file server. Write-through caches aresimpler, since they use simpler techniques to ensure that all caches seethe latest written data, and to ensure that in the event of multiplecrashes, no acknowledged data is ever discarded.

All of the systems discussed above perform write-through caching, toensure NFS's “close to open” semantics are met, guaranteeing that a fileopen, performed after a program writing a file closes its file, will seethe most recently written data. These systems also aggressively writedata through to the server to ensure data persistence in the event of acrash of the caching system.

Gear6 provides a pure memory cache with a global directory maintaining asingle copy of each piece of cached data in one of the clusterappliances, but it, too, writes data back to the back-end file serveraggressively, partially to ensure persistence. Gear6 appliances alsoverify that cached data is up-to-date on many references because Gear6recommends that write-heavy loads go directly to the back-end filer toimprove overall system performance.

BRIEF SUMMARY OF THE INVENTION

The present invention pertains to a file storage system for storing dataof a file received from a client. The system comprises a back-end fileserver in which the data is stored. The system comprises a cacheappliance in communication with the file server, such that the appliancestores portions of the data or attributes of the file, and uses thestored data or attributes to process file system requests received fromthe client, and which reads and writes data and attributes to theback-end file server independently.

The present invention pertains to a system for responding to a filesystem protocol request in regard to a back-end server. The systemcomprises a token server. The system comprises a plurality of cacheappliances in communication with the token server, each of whichreceives tokens from the token server to synchronize access to data andattributes caches of the cache appliances, and reading and writing dataand attributes to the back-end servers when tokens are revoked, thecache appliance having persistent storage in which data are stored, andthe token server having persistent storage in which tokens are stored.

The present invention pertains to a method for storing data of a filereceived from a client. The method comprises the steps of storingportions of the data or attributes of the file in a cache appliance.There is the step of using the stored data or attributes to process filesystem requests received from the client. There is the step of readingand writing the data and the attributes to the back-end file serverindependently.

The present invention pertains to a method for responding to a filesystem protocol request to access data stored by a back-end server. Themethod comprises the steps of receiving tokens from a token server at aplurality of cache appliances in communication with the token server.There is the step of synchronizing access to data caches and attributescaches of the cache appliances with the tokens [this step is performedby the token server]. There is the step of writing data in the datacaches and attributes in the attributes caches to a back-end server whenthe tokens are revoked, the cache appliance having persistent storage inwhich the data are stored, and the token server having persistentstorage in which tokens are stored.

The present invention pertains to a storage system. The system comprisesa plurality of backend servers. The system comprises a token serverwhich grants permission to read and write file attributes and data. Thesystem comprises a plurality of cache appliances in communication withat least one of the backend servers and the token server for processingan incoming NFS request to the one backend server. Each cache appliancecomprises an NFS server which converts incoming NFS requests into cachemanager operations; a token client module in communication with thetoken server having a cache of tokens obtained from the token server; acache manager that caches data and attributes and uses tokens from thetoken client module to ensure that the cached data or attributes are themost recent data or attributes, and an NFS client which sends outgoingNFS requests to the back-end file server.

The present invention pertains to a method for storing data. The methodcomprises the steps of processing an incoming NFS request with a cacheappliance of a plurality of cache appliances in communication with atleast one of a plurality of backend servers. Each cache appliancecomprises an NFS server which converts incoming NFS requests into cachemanager operations; a token client module in communication with thetoken server having a cache of tokens obtained from the token server; acache manager that caches data and attributes and uses tokens from thetoken client module to ensure that the cached data or attributes are themost recent data or attributes, and an NFS client which sends outgoingNFS requests to the back-end file server. There is the step of the cacheappliance's obtaining permission from a token server to read and writefile attributes and data.

This invention addresses the costs of cache validation, by means of asynchronization mechanism to ensure that all references to a cached fileare up-to-date, even when a file is written through multiple cacheappliances concurrently. The synchronization mechanism passes out“tokens” or distributed locks, to cache appliances, with lock conflictrules that trigger cache invalidations on the desired cache applianceswhen another cache appliance updates the same file. When a tokenincompatible with an already outstanding token is to be granted, theoriginal token is first revoked. When an appliance holds the correctsynchronization token, it has no need to verify the correctness of itscache by communicating with the back-end file server.

The use of these synchronization tokens also allows this invention toaddress the cache scalability issue, since the invention's ability tocoordinate the cache contents across multiple cache appliances allowsthe safe and efficient use of multiple cache appliances to cache datafrom the same back-end file server, while still providing the NFSprotocol's “close to open” synchronization semantics.

While systems like the aforementioned AFS/NFS, and a related DFS/NFStranslator used similar token-based mechanisms for coordinating thecontents of the cache contents, the extensions below greatly increasethe utility of the token management scheme.

This invention is believed to improve on the state of the art forcaching appliances, as it avoids the cost of mandatory write-throughoperations to guarantee data persistence. It does this through acombination of the use of persistent tokens to track and lock outconcurrent access to modified data, even in the presence of arbitrarysystem crashes, and the use of individual file mirroring to ensure thatall modified data is present on multiple caching appliances. Thecombination of these approaches allows the appliance completeflexibility as to when to write modified data back to the back-end fileserver.

This invention is believed to also improve on the start of the art forcaching appliances by providing a mechanism to mirror updated data andthe corresponding token state to a spare appliance, to guard against thefailure of a cache appliance with data that has not yet been written tothe back-end file server. This mechanism mirrors preferably only writetokens, and provides an even more robust and efficient mechanism fordealing with read tokens on a failed cache appliance.

This invention is believed to also improve on the state of the art incaching appliances by greatly reducing latency for operations that failto locate data and tokens in the cache, through a mechanism, describedbelow, called ghost tokens, which allow synchronization tokens to beobtained from a token server concurrently with obtaining thecorresponding file's attributes from the back-end file server in thecase of a cache miss.

This invention is believed to improve upon the state of the art forcaching appliances for accessing heavily shared files via a batch tokenmechanism. Under normal token conflict rules, every write operation thatupdates a file should invalidate the file's cached attributes in everyappliance in the cluster. However, with the batch token extension,multiple write operations can be satisfied with a single invalidationstep, allowing much higher throughput rates for accesses to heavilyshared cached files.

This invention avoids the need to store data at the back-end during thetransition from having a single write copy cached, to having multipleread copies cached, or in a transition from having a write copy cachedon one machine, to having a write copy cached at another machine, byallowing appliances to coordinate the exchange of modified data directlyfrom one cache to another by means of more sophisticated token lockingmechanism than has been used in past caching systems.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

In the accompanying drawings, the preferred embodiment of the inventionand preferred methods of practicing the invention are illustrated inwhich:

FIG. 1 is a block diagram showing the general deployment context of thepresent invention.

FIG. 2 is a block diagram of a cache appliance of the present invention.

FIG. 3 illustrates the relationship between a first cookie, a lastcookie and a cache FS file contents.

FIG. 4 is a block diagram regarding cache appliance failover.

FIG. 5 is a block diagram regarding high-availability message flow.

FIG. 6 is a representation regarding ghost tokens.

FIG. 7 is a representation regarding an exceptional case concerningghost tokens.

DETAILED DESCRIPTION OF THE INVENTION

Referring now to the drawings wherein like reference numerals refer tosimilar or identical parts throughout the several views, and morespecifically to FIGS. 1 and 2 thereof, there is shown a file storagesystem 10 for storing data of a file received from a client. The system10 comprises a back-end file server 12 in which the data is stored. Thesystem 10 comprises a cache appliance 14 in communication with the fileserver 12, such that the appliance 14 stores portions of the data orattributes of the file, and uses the stored data or attributes toprocess file system 10 requests received from the client, and whichreads and writes data and attributes to the back-end file server 12independently.

The present invention pertains to a system 10 for responding to a filesystem 10 protocol request in regard to a back-end server 12. The system10 comprises a token server 16. The system 10 comprises a plurality ofcache appliances 14 in communication with the token server 16, each ofwhich receives tokens from the token server 16 to synchronize access todata and attributes caches of the cache appliances 14, and reading andwriting data and attributes to the back-end servers 12 when tokens arerevoked, the cache appliance 14 having persistent storage in which dataare stored, and the token server 16 having persistent storage in whichtokens are stored.

Preferably, the token server 16 produces a write data token to enable acache appliance 14 to perform a write operation to data stored at theback-end server 12, and ensures that no two write data tokens aregranted over a single byte of any same file. The token server 16preferably produces write attribute tokens to enable a cache appliance14 to perform operations updating file attributes for files stored inthe back-end server 12, and ensures that no two write attribute tokensare granted for the same file, and wherein the token server 16 revokesan already granted write data or write attribute token by revoking thegranted write data or write attribute token if a new write data or writeattribute token is requested from the token server 16 and isincompatible with the already granted write attribute or write datatoken. The system 10 can include a spare token server 18 where the writedata tokens and write attribute tokens are mirrored. The system 10 caninclude another cache appliance 14 where modified data and modifiedattributes are persistently stored.

Preferably, the token server 16 produces read data tokens and readattribute tokens that have a per token expiration time which allows themto be unilaterally revoked by the token server 16 after the expirationtime has passed. The token server 16 preferably produces ownershiptokens for the cache appliance 14 for the file's attributes and data,and data and attributes associated with the ownership tokens areretrieved directly from the cache appliance 14 having the ownershiptoken.

The token server 16 can produce a ghost token persisting for a timeperiod during which the token server 16 indicates a last time in which awrite data or attribute token was held for the file. The token server 16can produce batch tokens to reduce communication with the token server16 for shared files. Dual logs, or a circular log, can be used to storetokens persistently at the token server 16. A token server 16 can bechosen by a function including a file handle as a parameter, which mapsthe file handle to a plurality of token servers 16, with a plurality oftoken servers 16 in communication with the plurality of cache appliances14. The protocol used to communicate with the back-end file server 12can be NFS.

The present invention pertains to a method for storing data of a filereceived from a client. The method comprises the steps of storingportions of the data or attributes of the file in a cache appliance 14.There is the step of using the stored data or attributes to process filesystem 10 requests received from the client. There is the step ofreading and writing the data and the attributes to the back-end fileserver 12 independently of the back-end server 12.

The present invention pertains to a method for responding to a filesystem 10 protocol request pertaining to file data or attributes storedat a back-end server 12. The method comprises the steps of receivingtokens from a token server 16 at a plurality of cache appliances 14 incommunication with the token server 16. There is the step ofsynchronizing access to data caches and attributes caches of the cacheappliances 14 with the tokens. There is the step of writing data in thedata caches and attributes in the attributes caches to a back-end server12 when the tokens are revoked, the cache appliance 14 having persistentstorage in which the data are stored, and the token server 16 havingpersistent storage in which tokens are stored.

There is preferably the step of producing a write data token by thetoken server 16 for files stored at the back-end server 12 to enable acache appliance 14 to perform write operations locally, the token server16 ensuring that no two write data tokens are granted over a single byteof any same file. Preferably, there is the step of producing writeattribute tokens by the token server 16 for files stored in the back-endserver 12, the token server 16 ensuring that no two write attributetokens are granted for the same file. There is preferably the step ofthe token server 16 revoking an already granted write data or writeattribute token by recalling the granted write data or write attributetoken if a new write data or write attribute token is requested from thetoken server 16 and is incompatible with the already granted writeattribute or write data token.

There can be the step of mirroring in a spare token server 18 the writedata tokens and write attribute tokens. There can be the step ofpersistently storing in another cache appliance 14 modified data andmodified attributes. There can be the step of producing with the tokenserver 16 read data tokens and read attribute tokens that have a pertoken expiration times which allows them to be unilaterally revoked bythe token server 16 after the expiration time has passed. There can bethe step of producing with the token server 16 ownership tokens for thecache appliance 14 for the file's attributes and data. There can be thestep of retrieving directly from the cache appliance 14 data andattributes associated with file associated with the ownership token.

There can be the step of the token server 16 producing a ghost tokenpersisting for a time period during which the token server 16 indicatesa last time at which a write data or attribute token was held for thefile. There can be the step of the token server 16 producing batchtokens to reduce communication with the token server 16 for sharedfiles. There can be the step of choosing the token server 16 by afunction which includes a file handle as a parameter, which maps thefile handle to a plurality of token servers 16. There can be the stepsof leasing the read data tokens and read attribute tokens andautomatically revoking when their lease expires.

The present invention pertains to a storage system 10. The system 10comprises a plurality of backend servers 12. The system 10 comprises atoken server 16 which grants permission to read and write fileattributes and data. The system 10 comprises a plurality of cacheappliances 14 in communication with at least one of the back-end servers12 and the token server 16 for processing an incoming NFS request to theone back-end server 12. Each cache appliance 14 comprises an NFS serverwhich converts incoming NFS requests into cache manager 22 operations; atoken client 24 module in communication with the token server 16 havinga cache of tokens obtained from the token server 16; a cache manager 22that caches data and attributes and uses tokens from the token client 24module to ensure that the cached data or attributes are the most recentdata or attributes, and an NFS client 20 which sends outgoing NFSrequests to the back-end file server 12.

Preferably, the system 10 includes a cache file system in communicationwith the cache manager 22 which stores copies of file attributes andfile data and directory listing information. The system 10 preferablyincludes a C2C 28 interface which accesses data and attributes in othercache appliances 14.

The NFS server element is a module that receives incoming NFS requests(as described by IETF RFC 1813) from the clients, and calls into thecache manager 22 module to perform the underlying operation. The NFSclient 20 element is a module that sends outgoing NFS requests to theback-end file server 12, in order to read data into the cache from theback-end file server 12, to write data to the back-end file server 12from the cache, or to perform directory reading or modifying operationsto the back-end file server 12 on behalf of the cache appliance 14.

The present invention pertains to a method for storing data. The methodcomprises the steps of processing an incoming NFS request with a cacheappliance of a plurality of cache appliances 14 communicating with atleast one of a plurality of back-end servers 12. Each cache appliance 14comprises an NFS server which converts incoming NFS requests into cachemanager 22 operations; a token client 24 module in communication withthe token server 16 having a cache of tokens obtained from the tokenserver 16; a cache manager 22 that caches data and attributes and usestokens from the token client 24 module to ensure that the cached data orattributes are the most recent data or attributes, and an NFS client 20which sends outgoing NFS requests to the back-end file server 12. Thereis the step of obtaining permission by the cache appliance 14 from atoken server 16 to read and write file attributes and data.

Preferably, there is the step of storing copies of file attributes andfile data and directory listing information in a cache file system incommunication with the cache manager 22. There is preferably the step ofaccessing data and attributes in other cache appliances 14 using a C2C28 interface of the cache appliance 14.

In the operation of the invention, a clustered caching appliance 14 isdeployed, as shown in FIG. 1.

In FIG. 1, requests arrive at a collection of cache appliances 14 from acollection of NFS clients 20, each communicating using the NFS protocol,and each accessing a cache appliance 14 with connectivity to severalback-end NFS file servers. When a request arrives at a cache appliance14, if the data and attributes being accessed is present in thatappliance 14, and the request is a read operation of some form (that is,an operation that does not change the data it accesses), then therequest is handled by that appliance 14 directly, without theparticipation of the back-end file servers 12.

Write requests are more complex. A write request, updating either afile's attributes or data, should simultaneously invalidate any cachedcopies of the data it is about to update elsewhere in the cacheappliance 14 collection, and update the data locally within the cacheappliance 14. In addition, there are redundancy modes that may have beenconfigured that desire sending a copy of the data to one or more othercache appliances 14.

Furthermore, the appliance 14 administrator may have configured a policyconcerning how much, or how long, modified data may be stored in acaching appliance 14 before the cache appliance 14 should write themodifications back to the back-end server 12. These policies may requirethe cache appliance 14 to immediately write some subset of data back toits home in the back-end server 12 before completing the write request.

Finally, the system 10 may be configured for high availability (HA)operation, in which the loss of a cache appliance 14 should be hiddenfrom the accessing NFS client 20. When configured for HA operation,every update, including every write operation, should be propagated to asecond cache appliance 14 before the update operation is acknowledged.

As noted above, multiple copies of the same data may be present inmultiple cache appliances 14, and this invention provides a mechanism toensure cache coherence when data is updated at a cache appliance 14.This mechanism is a token-based cache synchronization mechanism, withspecific tokens representing the right to read or write either aparticular file's attributes, or a byte range of the file's data; inaddition, there are attribute tokens called batch tokens designed tohandle multiple concurrent writers, and which are described below. Allof these tokens are issued by a token server 16, with a token server 16group consisting of a single token server 16, plus any number of standbytoken servers 16, coordinating access to a predetermined collection offiles. This invention may make use of multiple token server 16 groups;for example, the system 10 may choose to divide the entire set of cachedfiles into multiple groups based on a random hash on the files' filehandles.

The token server 16 ensures that no two data tokens are granted over thesame byte of the same file, unless they are both read tokens, and thatno two attribute tokens are granted for the same file unless they areboth read tokens. If a token is requested from a token server 16, andthe new token is incompatible with an already granted token, the tokenserver 16 revokes the already granted token by calling back to the ownerof the outstanding token, and requesting that it return the incompatibletoken.

Write tokens are also stored persistently, to ensure that in the eventof the crash of an arbitrary number of cache appliances 14 and tokenservers 16, no appliance 14 can read or update modified data whose onlycopy resides on a failed cache appliance 14. To improve overall system10 availability these write tokens may be mirrored to a spare tokenserver 18, while the modified data may be simultaneously mirrored toanother cache appliance 14, to ensure that the data and its relatedtokens are available after the loss of a cache appliance 14. Becauseboth write tokens and modified data are stored persistently, theinvention never loses track of modified data, no matter how many system10 restarts occur. This allows the cache appliance 14 great latitude tochoose the best time to write data to the back-end file servers 12.

Note that read tokens are treated significantly differently from writetokens. While write tokens are stored persistently and without anyexpiration time, read tokens need not be stored persistently, and areassociated with a per-token expiration time, so that if a communicationor node failure occurs, all read tokens granted to a cache appliance 14can be unilaterally revoked by the token server 16 after the expirationtime passes. This difference in token treatment in the presence of cacheappliance 14 failures greatly reduces the impact of a cache appliance 14failure on the system 10, since after a short timeout, tokensconflicting with previously outstanding read tokens can be grantedagain.

The invention also makes an improvement over the state of the art in thecase where file sharing between cache appliances 14 is occurring. Whenone cache appliance 14 reads data cached and modified by anotherappliance 14, in current state of the art systems, the cache appliance14 holding modified data should store the data back to the back-end fileserver 12 before the second appliance 14 can serve the data to itsclient. In this invention, however, there is the concept of an ownershiptoken, at the same granularity as a write token. When an appliance 14holds an ownership token, whether for a file's attributes, or for asubset of its data, the other appliances 14 know to retrieve the datacovered by the token directly from the “owning” appliance 14 instead offrom the back-end server 12. Thus, a cache appliance 14 holding modifieddata could, upon a revoke of the write token, simply exchange the writetoken for an ownership token, instead of writing the data back to theback-end file server 12. From that point on, the cache appliance 14holding the modified data would be unable to make further changes to thecovered data. Another cache appliance 14 reading that data could get aread token, and then read the data from the appliance 14 holding theownership token, avoiding communication with the back-end file server 12entirely.

Through the use of the ownership tokens described by this invention,there is no strict requirement to store data to the back-end file server12 at any given time, allowing the performance of the combined cache andback-end file server 12 for both reading and writing user data to becompletely determined by the performance of the cache appliances 14alone. This is a significant improvement in the state of the art ofdistributed file system 10 caching.

FIG. 2 shows a detailed modular decomposition of the cache appliance 14.A separate token server 16 module is shown, but the token server 16actually runs in the preferred implementation on several of the cacheappliance 14 systems, as a separate process on the same machine.

The NFS server (NS) module is an implementation of the server side ofthe NFS protocol, as specified by the IETF's RFC 1813, available fromthe IETF at ietf.org, and implemented in OpenSolaris, FreeBSD and otheropen operating systems. These implementations are written to and providea virtual file system “vnode” interface, and can be used directly inthis invention.

Similarly, the NFS client 20 (NC) module is a straightforwardimplementation of the client side of the same NFS protocol, as found inOpen Solaris, FreeBSD or other operating systems. It receives callsusing the standard vnode interface present in OpenSolaris, FreeBSD orother operating systems, and sends out NFS RPC calls to the back-end NFSfile server.

The cache file system 26 (also called CFS or Cache FS) is astraightforward local file system, storing file attributes and filedata, as well as directory listing information, for the cache appliance14. It can be implemented on top of any local file system present in theFreeBSD or OpenSolaris kernel, including the UFS or FFS file systems. Anextra bit per cached file can be stored, in the Unix mode bits, toindicate whether the data stored in the file is dirty (i.e. has beenmodified locally and thus is to be stored back to the back-end fileserver 12 at some point), or is clean, and can be discarded by the cacheappliance 14 at any time necessary to free up space in the cacheappliance 14. The cache file system 26 stores two types of information,file attributes, and file data. File attributes are stored in a filenamed “A<filehandle>” where “A” is the letter ‘A’, and <filehandle> isthe NFS file handle of the file whose attributes are being cachedrepresented as a hexadecimal number. The contents of this file store thefile attributes described in the NFS specification, along with a dirtybit for each field indicating whether the particular attribute is to bestored back at the back-end file server 12. File data is broken downinto chunks of data, the size of which can be chosen dynamically, atypical size being 1 MB. Data chunks are stored in separate files, eachnamed “D<offset>.<filehandle>”. There is a dirty bit for each chunk,stored in the Unix mode bits (the “1” bit of st_mode), which indicatesthat the data in this chunk is to be stored back to the back-end fileserver 12. The files in this file system are not accessed directly byNFS, but instead this data is used by the cache manager 22 (CM) moduledescribed below, when incoming requests are handled. Each data chunkalso stores a datamod time, initially equal to the modification time forthe file at the time the chunk was or written from the back-end fileserver 12.

This invention uses tokens to coordinate the actions of multiple cacheappliances 14 accessing the same data from the back-end file server 12.Since multiple cache appliances 14 can cache the same data, theinvention should ensure that different appliances 14 do not makemodifications to the same data at the same time, generating competingversions each missing the other's updates. The invention should alsoensure that one appliance 14 does not accept an update to some datawhile an old version of that same data is returned by another appliance14 to its clients. Thus, most simply, a token manager will allow, for aparticular type of data at a given instant of time, either one appliance14 to make updates to its cache of that data, or multiple appliances 14to read its cache of that data.

The TKC 24 module is a simple cache of the tokens used by this cacheappliance 14, obtained from the cluster's token servers 16. Tokens inthis cache can be located by file handle, token client 24 ID, or tokenID, and separate hash tables are used to provide efficient access usingany of these keys. These tokens are stored non-persistently. To avoidcreating a network-wide bottleneck at the token server 16, thefile-handle space is divided among a set of independent token servers 16using a static hash function that gives the identity of the system 10running the token server 16 for that file handle (and many other filehandles as well). The tokens obtained by the TKC 24 module fall into oneof several types:

-   -   Attribute tokens, tagged by file handle. These come in sub-types        for read, write, ownership, batch read and batch write.    -   Data tokens, tagged by file handle and byte range. These come in        sub-types for read, write and ownership.

These tokens need not be stored persistently at the TKC 24, since alltokens are stored persistently at the TKS anyway, where they can beretrieved by the TKC 24 if necessary.

Tokens are labeled with an owning token client ID (CLID), a 128 bitUniversally Unique Identifier (UUID) that typically indicates whichcache appliance 14 obtained the token. Each token also has another 128bit UUID that represents the specific token instance itself. Tokensfunction as distributed locks, and should only be granted if there areno incompatible tokens already outstanding. If a cache appliance 14desires a new token that is incompatible with one or more outstandingtokens, the existing conflicting tokens should be revoked before the newtoken can be granted. Some tokens are associated with a “lease” (anexpiration time). If the cache appliance 14 doesn't renew its leasebased on its CLID, all tokens sharing that lease are released, and theclient should subsequently obtain tokens using a new CLID. Other tokensare not associated with a lease, and are never released unless theirowner releases them explicitly.

The compatibility rules for tokens are as follows:

-   -   tokens with the same CLID are always compatible    -   tokens applying to different file handles are always compatible    -   read attribute tokens are compatible with other read attribute        tokens and ownership tokens, but not with write attribute tokens    -   write attribute tokens are not compatible with ownership, write        or read attribute tokens    -   ownership attribute tokens are compatible with all tokens except        for write attribute and other ownership attribute tokens    -   read data tokens are compatible with other read and ownership        tokens, but not with write tokens, for the same file and an        overlapping byte range    -   write data tokens are not compatible with ownership, read or        other write tokens with overlapping byte ranges    -   ownership data tokens are compatible with all other data tokens        except for write data tokens and other ownership data tokens,        with an overlapping byte range

Batch tokens do not change the entries in the table above, but add moreentries; these are described more fully below.

All read data and read attribute tokens are leased, and areautomatically revoked if the lease expires. Ownership and write tokens(including batch write tokens), on the other hand, should be explicitlyreturned, often after a revoke, before the token server 16 (TKS) cangrant incompatible tokens to other token clients.

The CM 22 module is responsible for caching data and attributes at thecache appliance 14, storing a copy of this information in the cache filesystem 26 (CFS), communicating with the token servers 16 (TKSes) usingthe TKC 24 module to ensure that the cached data and attributes are themost recent available. In those cases where the latest copies of thedata or attributes are stored at the back-end file server 12, the CM 22uses the NC 20 module to communicate with the back-end file server 12 toread the data using the NFS protocol. In those cases where the latestcopies of the data or attributes are stored in another cache appliance14, the CM 22 module makes remote procedure calls to the cache-to-cachecommunications module (C2C) on the cache appliance 14 holding the data,to obtain the latest data or attributes.

The cache manager 22 module (CM) makes use of the tokens obtained fromthe token server 16 to synchronize its operation with cache manager 22instances running in other cache appliances 14. The CM 22 caches filesby dividing them into independently managed pieces—basically, fileattributes, and file data for various non-overlapping byte ranges.Typically, an operation that reads attributes first obtains readattribute tokens, and an operation that reads a range of data firstobtains read attribute tokens and a read data token covering the desiredrange. Similarly, an operation that modifies a file's attributes firstobtains write attribute tokens, and an operation that modifies a rangeof data first obtains both write attribute and write data tokens for thecorresponding file. For example, a CM 22 processing an NFS readoperation obtains read attribute tokens for the file, and read datatokens for the range of the file being read. In one embodiment of theinvention, file data is managed in fixed sized chunks, and read andwrite data tokens are obtained on entire chunks whenever any bytes inthat range are read or written, respectively. Once the example readoperation has obtained the requisite tokens, it can perform theoperation locally, safe in the assurance that any operation on any cacheappliance 14 that would affect any of the data being accessed by theread operation will be delayed until the read attribute and read datatokens can be revoked, which will not occur until the CM 22 hascompleted its read operation.

The CM's 22 operations, and how they work with the CFS 26, TKC 24 and NC20 modules are now described. Note that these operations are slightlymodified by optimizations based on ghost tokens and batch tokens, asdescribed more fully below.

In many of these operations, cached file data and cached directoryentries are tagged by a cached mtime value, indicating the mtime at theback-end file server 12 at the time the data or directory entry wasretrieved from the back-end server 12. This value may be used invalidating cache entries against the back-end file server 12 in thosecases where synchronization tokens are not held continuously from thetime the data is read from the back-end server 12 until the time thedata is used by the cache appliance 14.

The operations of an individual cache manager 22 are now described:

The cm_getattr operation retrieves the attributes of a file, given itsfile handle. It first consults the TKC 24 module to see if the cacheappliance 14 already has a read or write attribute token for this filehandle, and consults the CFS 26 module to see if the file's attributesare present in the cache. If both conditions are true, the CM 22 simplyreturns the attributes from the CFS 26 file, and the operation iscomplete. Otherwise, if the TKC 24 doesn't have either a read or writeattribute token, the CM 22 requests a read attribute token if necessary,which will cause TKC 24 to call the TKS to obtain at least a readattribute token (and any other token that can be granted withoutconflicting with an extant token for the same file). Once the TKC 24 hasat least a read attribute token, and if there is no outstandingownership attribute token for this file, then the CM 22 calls the NC 20module to obtain the actual file attributes from the back-end fileserver 12, otherwise, when an ownership attribute token is present, theCM 22 calls C2C 28 module in the cache appliance 14 holding theownership token. Once the attributes have been obtained, the CM 22writes those attributes locally to the CFS 26 for future use.

The cm_read operation works very similarly to the cm_getattr operation,except that the CM 22 uses the TKC 24 to hold a read attribute token, asin cm_getattr, and a read data token on the chunk or chunks of the fileaffected by the read operation. If the tokens are present in the TKC 24module, and the attributes and data are both present in the CFS 26 file,then the operation is performed locally without any involvement of theTKS or NC 20 modules. Otherwise, if the tokens are not present, the TKC24 obtains from the TKS a read attribute token for the file, and one ormore read data tokens for the chunks spanning the range of data read bythe operation. Once the read attribute token is present, the CM 22obtains current attributes from the back-end server 12, or from thecache appliance 14 having an owner attribute token. Once the attributesare present, the cache data file, if present, is checked for validity bycomparing the cache file's datamod time field with the currentmodification time obtained from the back-end server 12. If the file'sdatamod time field matches the current attribute's modification time,then the data can be used directly from the cache. Otherwise, the CM 22obtains the data from the back-end file server 12. If, after havingobtained the desired tokens, valid data is not present in the cache,then if there are no outstanding ownership data tokens for this file,the CM 22 reads any missing data from the back-end file server 12 usingthe NC 20 module, otherwise, the CM 22 reads the data from the C2C 28module in the cache appliance 14 holding the ownership token. Theretrieved data, no matter what its source, is written to thecorresponding attribute or data chunk CFS 26 file to handle futureaccesses. Note that as described above, data is considered present inthe cache if the file's datamod time in the cache matches the file'smodification time at the back-end file server 12, as checked whileholding at least a read attribute token, or if a read or write datatoken has been held continuously since the data either was read from theback-end file server 12, or read from another cache appliance 14.

Changing the attributes of a file is done with the cm_setattr operation.The operation proceeds like cm_getattr, except that the token desired isa write attribute token instead of a read attribute token, giving the CM22 the right to modify attributes in its cache. If the attributes andtokens are present in the cache, the cm_setattr operation simply updatesthe attributes in the cache and returns. If the desired tokens are notpresent in the cache, the CM 22 calls the TKC 24 to obtain a writeattribute token (and a write data token if the call is changing the filelength as well). Next, the attributes are retrieved from the back-endfile server 12, if no cache appliance 14 holds an ownership token, orfrom the C2C 28 module on the owning appliance 14, if there is anoutstanding ownership token. After the attributes are retrieved, theyare written to the local CFS 26 file, and then updated as per thecm_setattr request. If the cm_setattr operation truncates the file, thecached data chunks are also truncated if necessary, and write datatokens are also obtained for the relevant range of the file. After theoperation completes, the TKC 24 still holds a write attribute token (andpossibly one or more write data tokens, for a cm_setattr call thatchanges the file length), and the attributes are still cached in the CFS26 inode.

Data is written to a file using the cm_write operation. The operationbegins by obtaining a write attribute token, and a set of write datatokens covering the set of chunks affected by the write operation. Thecm_write operation then reads, by calling cm_read, any data chunks thatwill not be completely overwritten by the cm_write call. The cm_writeoperation then updates the CFS 26 files with the updated data, andupdates the file's mtime, ctime and atime with the present time (or anexplicit value passed into the cm_write call). If the desired writeattribute and write data tokens are not present at the start of theoperation, they are first obtained by calling the TKC 24 module toobtain the tokens from the TKS. An optimization is described furtherbelow for using batch write tokens to allow multiple writers to updatethe same file without transferring ownership of the write attributestoken between cache appliances 14 on every write operation.

The cm_lookup operation determines, based on the incoming directory filehandle, and desired file name, the file handle and attributes associatedwith the incoming file. The lookup operation does this by getting readattribute and read data tokens on the relevant directory, and thenconsulting its local Dynamic Name Lookup Cache (DNLC). The DNLC stores aset of entries mapping (directory file handle, directory datamod time,file name) tuples into target file handles. If an entry is found in theDNLC while the directory's read data tokens are held, or the directory'sread attribute tokens are held, and the mtime of the directory matchesthe datamod of the DNLC entry, then the target file handle can bedetermined using the cache. If a usable entry is found, the cm_lookupoperation next obtains the target file's attributes, which it does bycalling cm_getattr on the target file handle to get those attributes. Ifthe desired directory tokens are not present in the TKC 24 at the startof the operation, then the cm_lookup code asks the TKC 24 to obtain thetokens. Afterwards, it consults the DNLC to see if there is a DNLC entrywith its datamod time matching the directory's current mtime (indicatingthat the cache data is still up-to-date). If the datamod time in the DLCentry matches the mtime in the directory's attributes, the cm_lookupoperation can use the DNLC entry, otherwise, the CM 22 calls theback-end file server 12 via the NC 20 module to perform the lookupoperation (while still holding the directory's read data and readattribute tokens). Once this NFS operation completes, a new DNLC entryis created holding the lookup results. Again, the operation would finishby calling cm_getattr. Also note that the DNLC consulted by thecm_lookup operation can also store a number of “negative” entries, saidentries indicating that the file does not exist at the back-end fileserver 12.

There are a number of CM 22 operations, structured similarly to oneanother, that perform directory modifications. These operations arecm_remove for deleting a file, cm_link to create a hard link to analready existing file, cm_mkdir for creating a directory, cm_rmdir forremoving a directory, cm_symlink for creating a symbolic link, andcm_rename for renaming a file or directory.

The cm_remove call works by first obtaining a write attribute and writedata token on the directory containing the file or directory beingdeleted, and then performing a cm_lookup operation to determine theidentity of the file or directory being deleted. This cm_lookup willoperate from the cache if possible, but may have to contact the back-endfile server 12 to get the file handle of the target object if therelevant DNLC entry is not present in the cache. After the identity ofthe target file has been determined, the CM 22 obtains a write attributetoken on the target object, and then CM 22 sends an NFS unlink to removethe object. Note that the object may have a hard link count >1, in whichcase getting the write attribute token on the deleted file is necessaryto ensure that all cache appliances 14 in the cluster see the new linkcount for the still extant file.

The cm_rmdir call works nearly identically, except that sincedirectories do not have hard links to them, there is no concern aboutthe state of the deleted directory after the rmdir operation completes.Thus, cm_rmdir can simply get write attribute and write data tokens onthe parent directory (which will force the invalidation of DNLC entrieson other cache appliances 14), and then perform the NFS rmdir operationto the back-end file server 12.

The cm_link call creates a new directory entry for an already existingfile. It operates by getting a write attribute token and a write datatoken for the parent directory, and a write attribute token for thetarget file, since the target's link count will change. It then sends anNFS link call to the back-end file server 12, and updates the CFS 26cache with the updated directory and file attributes received from theNFS call's return parameters.

A number of CM 22 calls create new files, directories or symbolic links(cm_create, cm_mkdir and cm_symlink). All of these operations work invirtually the same manner. Each begins by obtaining a write attributeand write data token on the parent directory. Next, each makes a call tothe back-end file server 12 to actually create the target object. Oncethe operation completes, the calling operation has the file handle forthe newly created object, as well as its attributes, and the updateddirectory's attributes. The DNLC can be updated, since the CM 22 has awrite data token on the parent directory, and the directory's attributecache can be updated in the CFS 26. The attributes returned for the newobject can be used directly, since no other client will have been ableto access the newly created object while the parent directory's writedata token is held by the cache appliance 14 creating the new object.

The cm_rename operation is the most complex operation, as it combinesthe most complex elements of the cm_link and cm_remove operations. Mostgenerally, a cm_rename operation affects four objects, a source andtarget object, and the source and parent directories containing thoseobjects. The cm_rename operation deletes the target of the renameoperation, if it already exists. Furthermore, if that target exists, isnot a directory, and has hard links to it, the CM updates the target'sattributes to include its updated link count. Finally, if the objectrenamed is a directory, and the source and target directories differ,the “. .” pointer within the renamed directory is updated.

Thus, a cm_rename operation begins by obtaining write data and writeattribute tokens for both the source and target directories, and thenlooking up (via cm_lookup) both the source and target objects; note thatthe cm_lookup operation also gets at least read attribute tokens on thesource and target objects as well. The CM 22 then concurrently performsthe rename operation at the back-end file server 12. The specific tokensdesired on the source and target objects depend upon the type of theobjects affected by the NFS rename operation is sent to the back-end. Ifthe source object is a file, no additional tokens are needed on it, andif the target object is a directory, or a file with link count 1, the CM22 also does not need additional tokens on the target. If the targetobject is a file with a link count >1, then the CM 22 uses a writeattributes token on the target, since the link count will bedecremented. And if the source object is a directory and the source andtarget directories differ, then the CM 22 uses a write attribute andwrite data token on the source object, since its “. .” name entry willbe updated by the cm_rename operation, changing both its contents andits mtime.

The cm_readdir operation reads the contents of a directory, returning aset of directory entries, each of which contains a file name, a file ID,and an opaque pointer to the next entry, which, if passed in a newcm_readdir call, will continue the enumeration at the next entry in thedirectory. The contents of a readdir entry are described in more detailin the IETF's RFC 1813 describing NFS version 3. The cm_readdir callbegins by calling the TKC 24 module to get read attribute and read datatokens on the target directory. The cm_readdir code maintains acontiguous set of directory entries in a CFS 26 cache file, along withthe cookie value used to read the first entry stored in the CFS 26 file,and the cookie value stored in the last entry in the CFS 26 file.

The cm_readdir call then works as follows. Upon receiving a readdircall, first it is desired to ensure that there is a read attribute andread data token for the directory. Then, given an incoming cm_readdircall with a specified readdir cookie, it is checked to see if theincoming cookie matches the CFS 26 file's base cookie value (which willusually be 0, for a directory enumeration cached in its entirety). If itdoes match, cm_readdir can start returning entries directly from thestart of the CFS 26 cache file, continuing for as many entries as thecaller requested. Similarly, if incoming readdir call's cookie valuematches the cookie value of the last entry in the CFS 26 file, then ifthe EOF flag is set, the operation completes locally by also returningEOF to the cm_readdir's caller. If the EOF flag is not set, thecm_readdir code continues reading the directory at the end of the CFS 26file, using the cookie value of the last entry in the CFS 26 file. Ifneither of these tests match the incoming cookie value, the cm_readdircode discards the contents of the CFS 26 cache file, and starts readingthe directory at the specified cookie offset, filling the data from theback-end file server 12. An alternative implementation could search thecached directory entries for the specified cookie offset before going tothe back-end server 12, retrieving the data from the cache if the cookieis located anywhere within the CFS 26 cache file.

FIG. 3 illustrates the relationship between the first cookie, lastcookie and the CFS 26 file contents. The back-end file server 12 storesa directory addressed by opaque (to the cache appliance 14) cookievalues, illustrated as 0, 1000, 3000, 5000, 7000, and 9000. The CFS 26file stores the segment of directory entries retrieved by doing NFSreaddir operations to the back-end server 12 starting at the server'scookie value of 3000, up to a cookie value of 8000. Note that when anyNFS clients 20 send cm_readdir operations that desire reading past theend of the CFS 26 file at offset 4000, then the cm_readdir call willcontinue filling the CFS 26 file by calling the NC 20 to make an NFSreaddir call with an NFS server cookie of 8000 (from the “last cookie”field in FIG. 3).

The C2C 28 interface provides a mechanism for one cache appliance 14 toaccess data and attributes stored in another cache appliance 14. Itconsists of simplified versions of NFS read, NFS write, NFS getattr andNFS setattr, with the simplification that when a C2C 28 operation callsinto special versions of cm_getattr, cm_setattr, cm_read and cm_writethat do not call into the TKC 24 module to obtain tokens, but insteadjust read or write the appropriate information in the appropriate CFS 26files. The appropriate tokens effectively have already been obtained bythe cache appliance 14 calling the C2C 28 functions.

There are no C2C 28 operations required for directory manipulatingoperations, since those operations are always performed to the back-endfile server 12.

After a node fails and restarts, the restarted cache appliance's TKC 24module will locate its TKCID in its persistent storage, but the TKC 24will not know what tokens are owned by that TKCID, since the token stateitself is stored persistently at the TKS. The CM 22 node then searchesthe local cache for modified data, which is to be protected by a writeattribute and/or write data token; this is done simply by searching thecache file system 26 (CFS) for modified files (recall, indicated via the1 bit in the Unix mode bits). The CM 22 then requests that the TKC 24reclaim the tokens held for those files, which the TKS can do by simplysearching its database for tokens owned by the TKCID for the specifiedfiles. The TKS will then return the token IDs to the TKC 24, possiblythrough multiple RPCs between the TKC 24 and the TKS. This process willbe repeated in the background for all dirty data found in the cacheappliance's 14 cache.

When a token server 16 fails, it simply restarts, and reloads the set ofpersistent tokens (typically write tokens) from its persistent storage.At the same time, all existing leases are canceled, so that thelease-based tokens (typically, read tokens) are all discarded by thetoken client 24 modules in the cache appliances 14.

Many storage systems provide a high availability operating mode wherethe loss of any single node can be weathered without any significantservice outage. The following describes how this invention handles theloss of a cache appliance 14 and/or a token server 16, when configuredfor high availability (or HA) operation.

When a cache appliance 14 is configured in HA mode, it passes an orderedstream of data updates to a designated secondary system, which storesthose updates in case the secondary system is to take over for thefailed appliance 14. Each update consists of an opcode, in this casespecifying a write operation, a file handle, a 64 bit byte offset, and a32 bit byte count, followed by “count” bytes representing the modifieddata. These entries are written to a dedicated CFS 26 file system at thesecondary appliance 14—this update should occur before the primaryappliance 14 can respond to the client system. Note that an appliance 14may be functioning as a primary caching appliance 14 performing incomingfile system 10 operations, and simultaneously as a secondary appliance14 for another caching appliance 14.

FIG. 4 shows the data flow in appliance 14 failover. The appliances 14are comprised of the same components as illustrated in FIG. 2, exceptthat there are now two CFS 26 instances in each appliance 14, oneholding the data cached by the system 10 (labeled “primary”) and oneholding a copy of the modified data from its failover partner (labeled“aux”). The dashed arrows show the flow of updated data from the primaryCFS 26 instance to its auxiliary CFS 26 instance.

Aside from propagating updates from the primary node to the secondary,the primary node also is to send an indication to the secondary whendirty data has been cleaned (written back to the back-end file server12). This information is passed to the secondary by passing a “clean”opcode, a file handle, a 64 bit offset and a 64 bit count, indicatingthat all bytes in the specified range are now clean, and can bediscarded from the secondary if necessary. The clean operation may bepassed from the primary to the secondary any time after the data isactually cleaned, but the clean operation should be sent before the datain the same range is updated by the primary again.

When an HA primary/secondary relationship is established, the primaryappliance 14 sends the secondary appliance 14 its TKCID. Once a primaryfailure occurs, the secondary appliance 14 communicates with the TKSthat the secondary is taking over responsibility for the failed node'sTKCID. The secondary node then locates its copy of the primary node'sdirty data, and requests new tokens, owned by the secondary node's ownTKCID, to replace the tokens owned by the failed primary system's TKCID.Until this process completes, the secondary may also see token revokesfor tokens owned by the primary's original TKCID. The processing of arevoke received for tokens owned by the primary's original TKCID worksthe same as normal token revoke processing—any covered data is storedback to the back-end file server 12. New tokens obtained by thesecondary for the primary system's data are obtained using its ownTKCID, not the primary's original TKCID. Note that the secondary cancontinue to use the primary's TKCID to protect data received from theprimary for as long as it wants, and gets a new TKCID for new writeoperations.

When a cache appliance 14 restarts, it locates the dirty data andattributes in its cache, as described above, and tries to regain thetokens it had with its original TKCID and covering the data orattributes in question; this original TKCID is stored in stable storageon both the primary and secondary nodes for this purpose. The tokenswill still be available if no secondary has taken over for this node;otherwise, the tokens with the original node's TKCID will have beenrevoked when the secondary took over for the primary. In the case wherethe secondary node took over for the primary, the recovering primary'sattempts to reclaim those tokens will fail, causing the recoveringprimary to invalidate that portion of its cache holding the dirty dataand attributes. In effect, the TKS acts as the definitive authorityduring a failover, indicating which cache appliance 14 has ownership ofmodified data in any cache appliance 14.

FIG. 5 shows the message flow within a cache appliance 14, and between acache appliance 14 and its failover partner, when handling a user datawrite operation. In step 1, the system 10 receives an NFS writeoperation from the network, which is translated into a cm_write call tothe cache manager 22. Next, in step 2, cm_write function calls the CFS26 module's write function, which does two things: it copies the datainto its own non-volatile disk buffers, and it transfers the data to theCFS 26 module on the secondary system (step 3). Now that the data ispersistently stored on two separate systems, the cm_write callcompletes, allowing a response for the original NFS write to be sent tothe NFS client 20 (step 4). At some later point, in step 5, the cachemanager 22 stores the modified data back to the back-end file server 12,and notifies the secondary system (step 6) that it may discard the copyof the modified data in its own cache file system 26 (since the data isnow stored safely at the back-end server 12).

The token server 16 is the final arbiter of which cache appliance 14sare allowed to read or write which parts of cached files. In the case ofa TKS failure, a spare TKS should continue operation with areconstructed token database. This database should include everypersistent token granted to any client, but may include a number ofrevoked or returned tokens, since those extraneous tokens are harmlessand will be revoked on a conflict, anyway.

These constraints are satisfied by having a secondary TKS acting as ahot spare for each primary TKS operating in HA mode. The primary TKSgenerates a persistent log file consisting of a set of entries <tokenID, token client ID, token type, file handle, byte start, byte count>,where the token ID gives the unique token UUID associated with aparticular token instance, the token client ID identifies the CM 22instance obtaining the token, token type describes whether this is aread attribute, write attribute, read data or write data token (amongothers), file handle gives the file handle to which this token'sguarantees apply, and the byte start and byte count give, for datatokens, the range of bytes covered by the token.

To provide persistence, the token server 16 maintains two files ofactively granted tokens. As the token server 16 grants tokens, it logsthe state of each token, in the form described above, to the first logfile. As more space gets added to this first log file, the TKSsimultaneously reads the same amount of data from the second log file,which also contains a log of older token grants. For each token readfrom the second log file, the TKS checks its database to see if thetoken is still outstanding. If it isn't, then the token entry from thesecond log file is simply discarded. Otherwise, the token is appended tothe end of the first log file. Once the second log file is empty, thetoken server 16 switches the identities of the two log files andcontinues, now appending to the empty log file and discarding obsoleteentries from the full log file. If the token server 16 bounds the numberof outstanding tokens to a fixed number, then this log organizationguarantees that there are log files that are both bounded in size andcontain the set of all currently granted tokens.

When operating in HA mode, the primary TKS simply makes sure that itpasses all updates to the token log files to the secondary, whichmaintains its own copies of the log files to track the tokenspersistently. Then, after taking over for a failed primary, thesecondary TKS simply performs the processing that a primary TKS wouldafter a failure—it reloads the token state from the log files, creatingan in-memory version of the token database.

Note that this description is in terms of a single token server 16, butit should be clear that a system 10 can contain multiple token servers16, since tokens associated with different file handles have nointeractions. Thus, the system 10 can use a hash of a token's associatedfile handle, for example, to determine which token server 16 instance isactually managing the tokens for that file handle, and thus distributetoken management processing to an arbitrary number of token servers 16(TKSes).

An example is now provided with two cache appliances 14, A and B,accelerating the performance of back-end file server S. The example ofcreating a new file is first described, New, and filling that file withsome new data via cache appliance 14 A, and then writing an alreadyexisting file Exist via this same cache appliance 14 A. Next, a userconnected to cache appliance 14 B opens Exist and reads all of its datavia cache appliance 14 B.

First, a client sends an NFS create for New to cache appliance 14 A.This triggers a cm_create operation, which gets a write attribute and awrite data token on the directory containing New, invalidating anycached information about the parent directory on all other cacheappliances 14. The cm_create operation then calls the NC 20 module tosend an NFS create to back-end server S. Upon receipt of the response,the cache appliance 14 updates its DNLC, the CFS 26 file attribute cachefor the newly created file, and the CFS 26 file attribute cache for theupdated directory itself.

Next, cache appliance 14 A writes multiple blocks to New. The firstwrite operation begins by requesting a write data token for the chunkbeing updated, but the token server 16 will try to extend that token tothe entire file if that is possible without generating any additionaltoken revokes. Once the file's write attribute and write data tokenshave been obtained by cache appliance 14 A, the write operation cancontinue, updating the data in the CFS 26 file corresponding to New andmarking it as containing dirty data that should to be written back to S.The second and later writes all arrive at the cache appliance 14 afterit has obtained all of its desired tokens for New. Thus, these laterwrite operations simply update the existing cache file, marking the newblocks as dirty and updating appropriate file attributes locally foreach write, protected by the appliance's write attribute token for New.Note that as long as cache appliance 14 A holds a write data token onNew, it does not need to write the data back to the back-end file server12.

Continuing with this example, cache appliance 14 A now opens file Existby calling cm_lookup. The cm_lookup operation gets a read data token onExist's parent directory, and then consults the DNLC to see if Exist ispresent in the cache. If the DNLC entry exists along with a readattribute token for Exist, the CM 22 performs a cm_getattr operation toget the current attributes for Exist, and the open operation isessentially complete. If the entry does not exist in the DNLC, the cachemanager 22 calls the NC 20 module to send an NFS lookup for Exist to theback-end file server 12. Once this call completes, the appliance 14 hasthe file handle corresponding to Exist, and performs a cm_getattroperation to obtain Exist's current attributes, and complete the openoperation.

The application then sends a number of cm_write operations to theappliance 14. The first cm_write operation obtains write data tokens forthe target file, and in the absence of any other users accessing thefile, the write data token's range will be the entire file. Once thistoken has been obtained, the cm_write operation can simply copy theincoming data from the write operation request into the CFS 26 filetagged with the NFS file handle, and ensure that the file's length isupdated to include the last byte written, if the write extends the filelength. The succeeding write operations will function in the same way,except that they will find the write data token already in the tokenclient 24 (TKC) module.

Note that the CM 22 is not required at this point to write the updatedCFS 26 file back to the file server S.

Next, in the example, another cache appliance, B, has a client thatreads Exist. The appliance 14 begins with a cm_lookup operation thatwill do a cm_getattr call to get the file's current attributes. Theseattributes are still stored at appliance 14 A, protected by a writeattribute token. Thus, in order to grant a read attribute token to B,the token server 16 will revoke the conflicting write attribute tokenfrom A. At this point, A will do one of two things—it will either storethe updated attributes back to the back-end file server S, or it willcontact the TKS and request an owner attribute token for the file. Inthe first case, the write token is returned after writing the attributesto the back-end server 12, and appliance 14 B goes directly to the fileserver back-end to get the attributes for Exist. In the second case, Agives up its write token, which prevents it from making furthermodifications to Exist's attributes, but by getting an owner attributetoken, it now effectively advertises itself as owning the definitivecopy of the information (in this case, Exist's attributes). In thissecond case, appliance 14 B sends a c2c_getattr to appliance 14 A to geta copy of the file's attributes, and the attributes do not have to besent to the back-end file server 12 at all, reducing the load on theback-end file server 12.

Finally, after appliance 14 B opens the file, it then reads the datawritten earlier by appliance 14 A. Appliance 14 B reads the first blockby doing a cm_read, which attempts to get a read data token on the firstchunk of data in Exist. The TKS will attempt to revoke the write datatoken from appliance 14 A, offering appliance 14 A a new data writetoken with a byte range reduced to avoid conflicts. At this time,appliance 14 A will have several options. It may give up its entire datawrite token, and store all of the data back to file server S. It mayaccept the smaller write token, and store the data covered by the nowrevoked range back to file server S. And finally, it may take one of thepreceding actions, but instead of sending the data back to file serverS, it may keep the data locally and simply get an owner data token forthe revoked range. In the first two cases, appliance 14 B will read itsdata from the back-end file server 12, while in the last two cases,where ownership tokens are obtained for the updated data, appliance 14 Breads the data from appliance 14 A, using a c2c_read operation.

Under normal operation of this invention, NFS read and write operationsto the same file use read attribute and write attribute tokensrespectively. Certain workloads, however, generate a large number ofread and write operations to the same file, and every time that a writeattribute token is requested, all of the other attribute tokens shouldto be revoked, simply to update the subset of file attributes modifiedby write operations, specifically the modification time (mtime), changetime (ctime), and file length. The result of this approach is that everywrite operation is fully serialized with respect to every other read orwrite operation on the file, whether or not any of the same data bytesare affected, leading to a significant loss of potential concurrency.

In the case of significant write sharing within a single file, it wouldbe preferable to return responses to the cm_read or cm_write callsserialized as if a group of operations had all been executed together,to minimize the effort spent revoking and re-obtaining attribute tokensfor the data file.

To accomplish this, two additional types of attribute tokens aredefined, batch read attribute and batch write attribute tokens, givingthe following updated compatibility rules:

-   -   Read attribute—compatible with owner attribute, read attribute        and batch read attribute.    -   Write attribute—not compatible with any other attribute token.    -   Batch read attribute—compatible with read attribute, owner        attribute, batch read attribute, and batch write tokens        attribute.    -   Batch write attribute—compatible with owner attribute, batch        read attribute and batch write attribute tokens.    -   Owner attribute—compatible with read attribute, batch read        attribute, and batch write attribute tokens.

The behavior of cm_read as described above is modified to obtain a batchread attribute token instead of a normal read attribute token. Whileholding a batch read attribute token, the cache manager 22 obtains thefile attributes from the back-end file server 12 to complete a readrequest. The cache manager 22 can obtain these attributes in the sameway as described above, but because write attribute tokens may beoutstanding simultaneously, these attributes may be out of date. Thecache manager 22 thus bounds how long it will cache attributes under abatch read attribute token (illustratively to perhaps 100 milliseconds)so the returned attributes will not be significantly out of date, but sothat the back-end file server 12 will not have to be frequentlyconsulted, either.

The behavior of cm_write as described above is modified to obtain abatch write token if the write operation does not extend the file'slength. While holding a batch write token, the cache controller makes anNFS setattr call to the back-end file server 12, adjusting its mtime bya few hundred nanoseconds to obtain a range of mtime values, eachseparated by a single nanonsecond, that this cache manager 22 alone canhand out with cm_write responses during the next short interval(illustratively perhaps 100 ms). This allows the cache manager 22 tohand out unique mtime values for many write operations performed in thenear term future, while making a single call to obtain a batch writeattribute token, and a single call to the back-end file server 12 to geta range of mtime values to return with those write operations.

Note that even when using batch tokens, cm_read and cm_write stillobtain data read and data write tokens as described previously.

The benefit of using batch tokens is that multiple cache appliances 14can perform read and write operations to non-overlapping parts of asingle file (with each cache appliance 14 having a separate data writetoken synchronizing access to its own modified data), without needing tocommunicate with the TKS on every operation to get an updated read orwrite attribute token. By using a batch write attribute token instead,many read and write operations can run without communicating with theTKS at all.

The downside to using batch tokens is that since every cm_read orcm_write operation returns an old mtime value in its returned fileattributes (since the mtimes associated with batch tokens are alwaysolder than the current file's mtime), the data read from or written toclient caches when using batch tokens always appears to be stale to theNFS clients 20, and will be discarded by the NFS client 20 on the nextfile open. In practice, this tradeoff yields significant performancegains for applications involving heavy read/write data sharing, becausethe NFS client 20 caches are almost always invalid in environmentsinvolving heavy write sharing anyway.

Note that since data can't be cached as effectively when cm_read andcm_write use batch tokens, the TKS normally upgrades batch readattribute tokens to normal read tokens, and upgrades batch writeattribute tokens to normal write attribute tokens, when the target filedoes not appear to be write shared. Write sharing can be heuristicallydetermined by the token server 16 (TKS) by observing a relatively highnumber of write attribute token requests that trigger other tokenrevokes. For example, illustratively, the TKS might be configured toupgrade batch tokens to normal attribute tokens when the fraction ofbatch write tokens issued for a given file drops below 2% of the numberof the total attribute token obtain calls received over a period of 10seconds.

In the discussion above, when the CM 22 is to cache attributes or datafrom the back-end file server 12, it first obtains at least a read tokenfrom the TKS, and then obtains the actual attributes or data from theback-end server 12. The optimization described here allows thisinvention to perform cm_lookup and cm_getattr operations moreefficiently when a cache miss occurs by performing TKC 24 calls andback-end NFS calls operations concurrently.

Recall that when the CM 22 receives a cm_getattr call, it consults theCFS 26 to see if the file attributes are present, and checks with theTKC 24 to see if there are cached read attribute tokens for the filehandle. If both tests pass, the CM 22 completes the request immediately,without contacting either the TKS or the back-end file server 12.However, if the read attribute token is missing, the CM 22 should firstobtain the token, and then, after the CM 22 has a guarantee that nofurther updates to the file's attributes are possible, does the CM 22call the back-end file server 12.

The CM 22 should contact both the TKS and the back-end server 12 forthis operation, but the operation would have a significantly smallerlatency if the two calls could be made concurrently. However, attributesobtained before holding a read attribute or write attribute token may beincorrect if the attributes are actually obtained before the attributetoken, and an update is made by another cache appliance 14 in theinterval between obtaining the file attributes and the correspondingattribute token.

This race condition can be eliminated by having the TKS keep track of awrite token for a short period (called the “ghost” period, typically afew seconds) after the token has been revoked or returned, storingspecifically the time the token was last valid. Then, when returning anew token from the TKS to a token client 24, the TKS returns the minimumnumber of milliseconds ago that any write token was last held on thisfile, a value called the write token age. If the write token age is lessthan the ghost period, the TKS will actually have information in itstoken database giving this value. If the time is longer than the ghostperiod, the TKS is free to have discarded its data describing this filehandle, but it still can safely return the ghost period as a lower boundon the write token age. The cache appliance 14 makes use of the tokenage as follows: the cache appliance 14 handles a cm_getattr cache missby sending the TKC 24 call to get a read attribute token in parallelwith the NFS getattr to the back-end file server 12. When the TKC 24call completes, the CM 22 examines the write token age, and if thecompletion time of the NFS getattr call, minus the write token age, isless than the time at which the CM 22 first sent the NFS getattr call,then the CM 22 can safely use the results of the NFS getattr executedconcurrently with the TKS getTokens call, because the CM 22 knows thatthere were no updates to the file's attributes since before the start ofthe NFS getattr call. FIG. 6 shows the messages involved in thisscenario.

In FIG. 6, the standard case is shown where a file was updated arelatively long time in the past by cache appliance 14 B, followed by anew access to the file from cache appliance 14 A. In this case, at step1, cache appliance 14 B gets a write token, modifies the file attributeslocally, and then, at a later time in step 2 stores the updatedattributes back to the back-end file server 12, and then returns in step3 the write tokens to the TKS. Once the last write token has beenreturned for the file, the ghost token period commences for a fixedperiod (illustratively here 5 seconds), during which time the TKSpreserves state indicating the last time at which a write token was heldby any token client 24 for this file. At step 4, some time after theghost period expires, cache appliance 14 A, as part of handling anincoming cm_getattr call, sends two concurrent requests, one to the TKSto get a read attribute token on this file, and one to the back-end NFSserver to get the file attributes. Because the call to the TKS arrivesafter the expiration of the ghost period, the TKS's response to cacheappliance 14 A returns a write token age of 5 seconds (the ghost tokenperiod). Cache appliance 14 A then verifies that the time between theNFS getattr call was issued in step 4 and the time that the getTokenresponse was received was less than the write token age. In thisexample, this condition is verified, so cache appliance 14 A knows thatthere were no write tokens outstanding any time in the period betweenthe time that the back-end NFS getattr was executed, and the time thatthe read attribute token was actually granted, and thus, that cacheappliance 14 A can use the results from the NFS getattr as if it had aread attribute token from the start of the NFS getattr call.

In FIG. 7, the message flow in the relatively rare case where that racecondition is lost, and the first cache appliance 14 has to retry its NFSgetattr call is considered.

FIG. 7 shows a cm_getattr call on cache appliance 14 A running shortlyafter an update is made to the same file's attributes by cache appliance14 B. This is the rarely occurring exceptional case for ghost tokenprocessing, where cache appliance 14 A will to retry its NFS getattrcall to the back-end file server 12 in order to get the correct fileattributes. In step 1, cache appliance 14 B gets a write token from theTKS and then modifies the file's attributes locally. In steps 2 and 3,cache appliance 14 A, as part of handling a cm_getattr call for the samefile, optimistically concurrently sends a getToken call to the TKS,while sending an NFS getattr to the back-end file server 12. ThegetToken call triggers a revoke of cache appliance 14 B's writeattribute token (step 4), which is immediately followed by the storingback of the modified attributes to the back-end file server 12 (step 5).The write token is then returned to the TKS (step 6), which grants aread attribute token to cache appliance 14 A (step 7). Because the ghostperiod did not yet expire for the revoked write token, the TKS stillstored the exact write token age, at the time that, in step 7, itreceived cache appliance 14 A's getToken call. Thus the TKS returns awrite token age of 0 milliseconds along with the read attribute tokenreturned to cache appliance 14 A. Because this 0 ms period is shorterthan the time between the start of the NFS getattr call and the timethat the TKS getToken call completed, cache appliance 14 A knows thatthe NFS getattr call it executed may have executed while cache appliance14 B still held a write token, and thus, may have returned incorrectattributes. Thus, in step 8, cache appliance 14 A retries its NFSgetattr call to the back-end file server 12, this time while holding theread attribute token obtained in step 7, which ensures that theattributes can be safely used.

The same approach can be used for cm_lookup calls. If there is a DNLCcache miss on the name lookup performed locally by the CM 22 when doinga cm_lookup operation, then the CM 22 will perform an NFS lookupoperation to the back-end. This operation will return both the NFS filehandle for the target file as well as the attributes for the targetfile. Although the NFS lookup operation returned the target file'sattributes, it does so before the CM 22 has read attribute tokens on thefile, and before the CM 22 could even request tokens for the file, sinceuntil the lookup operation completes, the CM 22 does not even know thefile handle for which it desires tokens. Thus, naively, the CM 22 wouldhave to sequentially perform the NFS lookup operation to determine thetarget file handle, followed by a token manager getToken operation toget read attribute tokens for the target file, followed finally by anNFS getattr operation for the target file, most likely returning thesame attributes as were returned originally by the NFS lookup operation.

However, with the ghost period mechanism, the CM 22 can send an NFSlookup operation, and once that operation has completed, the CM 22 canobtain the read attribute tokens from the TKC 24. If the completion timefor the call to the TKC 24 to obtain a read attribute token, minus thewrite token age, is less than the time the initial NFS lookup operationwas sent, then the CM 22 knows that no modifications were made to thetarget file's attributes since before the NFS lookup call executed, andthus the CM 22 can use the file attributes returned by the NFS lookupcall, even though no tokens were held by the client at that time thoseattributes were returned.

Although the invention has been described in detail in the foregoingembodiments for the purpose of illustration, it is to be understood thatsuch detail is solely for that purpose and that variations can be madetherein by those skilled in the art without departing from the spiritand scope of the invention except as it may be described by thefollowing claims.

APPENDIX

Abbreviations

-   AFS—Andrew File System. A precursor to NFS built by a joint venture    of Carnegie Mellon University and IBM in the mid-1980s, it included    a great deal of support for caching file attributes and data at file    system clients.-   AFS/NFS Translator—a protocol translating server that acted as an    NFS server and AFS client, allowing NFS users to access data stored    on AFS file servers.-   Back-end file server—In this invention, the server storing the data    that is cached by this invention.-   C2C—Cache-to-cache communications module. In this invention, a    module that implements a simple interface allowing one cache    appliance to read and write data and attributes to another cache    appliance.-   CFS—Cache File System. In this invention, a simple file system    providing a flat name space tagging files by a simple string,    typically representing a file handle received from an external file    system protocol request.-   CIFS—Common Internet File System. In reality, a family of protocols    used by Windows PCs to access storage on a file server; this is the    former SMB, or Server Message Block, protocol, given an updated    name.-   CLID—CLient ID. A UUID identifying a particular cache appliance to    the token server.-   CM—Cache manager. In this invention, the module that receives file    system operations from the protocol modules, and executes them by    either reading or writing data in the cache, and/or performing    operations to the back-end file server.-   DFS—Distributed File System. A successor to AFS offered by IBM    Transarc Labs and the Open Software Foundation.-   DNLC—Dynamic Name Lookup Cache. A cache of directory contents.    Instead of simple file contents, entries in the DNLC quickly map a    directory file handle combined with a file name into the file handle    of the file having that name in that directory.-   EOF—End of file. An indication that an agent reading sequentially    through a file has reached the file's end.-   FFS—The Berkeley Fast File System. An early version of the Unix file    system, implemented at the University of California at Berkeley.-   FreeBSD—An freely licensed version of the Berkeley Standard    Distribution Unix operating system.-   IETF—Internet Engineering Task Force. The group that maintains    specifications for those protocols used on the Internet. The    specifications are available at ietf.org.-   HA—High Availability. Typically, indicates a configuration of a    multi-node server system with sufficient redundancy that at least    any single node can fail without any loss of data, or loss of access    to data, by any client.-   NAS—Network Attached Storage; typically data storage accessed via    the NFS or CIFS protocols over a network.-   NC—NFS Client.-   NFS—Network File System. A family of protocols used to access files    on a server from one or more clients on a connecting network. NFS    version 3 is the most commonly implemented version, and is described    by the Internet Engineering Task Force (IETF) in RFC 1813, which can    be obtained at ietf.org.-   NS—NFS Server.-   OpenSolaris—An partially open sourced version of Sun Microsystems'    Solaris operating system, providing state of the art implementations    of some interfaces and protocols, including NFS servers and clients,    and the vnode file system interface.-   RPC—Remote Procedure Call. A protocol, upon variants of which NFS    and AFS are both based, that provides a simple “call and response”    model for handling requests from a client to a server. A client    makes a call, and gets a response message when the results of the    call are ready.-   TKC—Token Client. The module that obtains synchronization tokens    from the token server, and keeps track of which tokens are currently    already held.-   TKCID—A UUID naming a specific token client instance.-   TKS—Token Server (or Token Manager). The module that grants    synchronization tokens to TKC modules within the cache appliance    cluster upon demand. The TKS ensures that no two conflicting tokens    are outstanding simultaneously by revoking outstanding tokens upon    receipt of a request for a conflicting token.-   UFS—Unix File System. A straightforward file system implementation    present in most Unix operating systems, and typically accessed via    the VNODE interface.-   UUID—Universal Unique IDentifier. A 128 bit value guaranteed to be    unique across all machines and all times.-   VNODE interface—An internal interface within an operating system    kernel to allow a network protocol such as NFS or AFS to access a    file system within that operating system without specific knowledge    of exactly which file system is being accessed.

The invention claimed is:
 1. A system for responding to a file systemprotocol request in regard to a back-end server comprising: a primarytoken server; a plurality of cache appliances in communication with thetoken server, each of which receives tokens from the token server tosynchronize access to data and attributes caches of the cache appliancesby revoking incompatible tokens when granting new tokens, and readingand writing data and attributes to the back-end server when tokens arerevoked, the cache appliance having persistent storage in which data andattributes are stored, and the token server having persistent storage inwhich tokens are stored and where the cache appliance maintains its owncopy of modified data and attributes, and stores them to the back-endfile server upon revocation of a write token, wherein the token serverproduces a write data token to write data to the back-end server by thecache appliance, and ensures that no two write data tokens are grantedover a single byte of any same file, wherein the token server produceswrite attribute tokens for files stored in the back-end server andensures that no two write attribute tokens are granted for the samefile, and wherein the token server revokes an already granted write dataor write attribute token by recalling the granted write data or writeattribute token if a new write data or write attribute token isrequested from the token server and is incompatible with the alreadygranted write attribute or write data token and when a write data orwrite attribute token is revoked, the cache appliance writes themodified version of the file's data or attributes to the back-end fileserver; and a hot spare token server to which the write data tokens andwrite attribute tokens are mirrored, the hot spare token server replacesthe primary token server if the primary token server fails and continuesoperation with a reconstructed token database, if the hot spare tokenserver replaces the primary token server, the hot spare server becomesthe primary token server and each write data token and write attributetoken that is mirrored in the hot spare token server is revoked in asame way as when a corresponding write data token or read data token isrevoked in the primary token server, the token server produces holdmodified tokens for the cache appliance for the file's attributes anddata, and data and attributes associated with the hold modified tokensare retrieved directly from the cache appliance having the hold modifiedtokens, the hold modified tokens identify the cache appliance having thehold modified tokens.
 2. A system as described in claim 1 includinganother cache appliance where modified data and modified attributes aremirrored and persistently stored.
 3. A system as described in claim 1wherein the token server produces read data tokens and read attributetokens that have a per token expiration time which allows them to beunilaterally revoked by the token server after the expiration time haspassed.
 4. A system as described in claim 1 where the token serverproduces batch tokens to reduce communication with the token server forshared files.
 5. A system as described in claim 1 wherein dual logs, ora circular log, is used to store tokens persistently at the tokenserver.
 6. A system as described in claim 1 wherein a token server ischosen by a function including a file handle as a parameter, which mapsthe file handle to a plurality of token servers, with a plurality oftoken servers in communication with the plurality of cache appliances.7. A method for responding to a file system protocol request in regardto a back-end server comprising the steps of: receiving tokens from aprimary token server in communication with a plurality of cacheappliances; synchronizing access to data caches and attributes caches ofthe cache appliances with the tokens by revoking incompatible tokenswhen granting new tokens; reading and writing file data and attributesin the caches of the cache appliances holding tokens; writing data inthe data caches and attributes in the attributes caches to a back-endserver when the tokens are revoked, the cache appliance havingpersistent storage in which the data and attributes are stored, and thetoken server having persistent storage in which tokens are stored;mirroring in a hot spare token server the write data tokens and writeattribute tokens, the hot spare token server replaces the primary tokenserver if the primary token server fails and continues operation with areconstructed token database, if the hot spare token server replaces theprimary token server, the hot spare server becomes the primary tokenserver and each write data token and write attribute token that ismirrored in the hot spare token server is revoked in a same way as whena corresponding write data token or read data token is revoked in theprimary token server; producing write attribute tokens by the tokenserver for files stored in the back-end server, the token serverensuring that no two write attribute tokens are granted for the samefile; the token server revoking an already granted write data or writeattribute token by recalling the granted write data or write attributetoken if a new write data or write attribute token is requested from thetoken server and is incompatible with the already granted writeattribute or write data token; and producing with the token serverownership tokens for the cache appliance for the file's attributes anddata to allow the cache appliance to read data from another cacheappliance.
 8. A method as described in claim 7 including the step of theproduction of a write data token by the token server for files stored inthe back-end server, the token server ensuring that no two write datatokens are granted over a single byte of any same file.
 9. A method asdescribed in claim 7 including the step of persistently storing inanother cache appliance modified data and modified attributessynchronously with respect to the incoming data update request.
 10. Amethod as described in claim 7 including the step of producing with thetoken server read data tokens and read attribute tokens that have a pertoken expiration time which allows them to be unilaterally revoked bythe token server after the expiration time has passed.
 11. A method asdescribed in claim 7 including the step of retrieving directly from thecache appliance data and attributes of files for which the cacheappliance holds an ownership token.
 12. A method as described in claim 7including the step of the token server producing a ghost tokenpersisting for a time period during which the token server indicates alast time in which a write data or attribute token was held for thefile.
 13. A method as described in claim 7 including the step of thetoken server producing batch tokens to reduce communication with thetoken server for shared files.
 14. A system for responding to a filesystem protocol request in regard to a back-end server comprising: aprimary token server; a plurality of cache appliances in communicationwith the token server, each of which receives tokens from the tokenserver to synchronize access to data and attributes caches of the cacheappliances by revoking incompatible tokens when granting new tokens, andreading and writing data and attributes to the back-end server whentokens are revoked, the cache appliance having persistent storage inwhich data and attributes are stored, and the token server havingpersistent storage in which tokens are stored and where the cacheappliance maintains its own copy of modified data and attributes, andstores them to the back-end file server upon revocation of a writetoken, wherein the token server produces a write data token to writedata to the back-end server by the cache appliance, and ensures that notwo write data tokens are granted over a single byte of any same file,wherein the token server produces write attribute tokens for tilesstored in the back-end server and ensures that no two write attributetokens are granted for the same file, and wherein the token serverrevokes an already granted write data or write attribute token byrecalling the granted write data or write attribute token if a new writedata or write attribute token is requested from the token server and isincompatible with the already granted write attribute or write datatoken and when a write data or write attribute token is revoked, thecache appliance writes the modified version of the file's data orattributes to the back-end file server; and a hot spare token server towhich the write data tokens and write attribute tokens are mirrored, thehot spare token server replaces the primary token server if the primarytoken server fails and continues operation with a reconstructed tokendatabase, if the hot spare token server replaces the primary tokenserver, the hot spare server becomes the primary token server and eachwrite data token and write attribute token that is mirrored in the hotspare token server is revoked in a same way as when a correspondingwrite data token or read data token is revoked in the primary tokenserver, the token server produces a ghost token persisting for a limitedtime period after revocation of an original token upon granting of a newtoken conflicting with the ghost token, an indication is returned to thenew token's owner, indicating that the new token would have conflictedwith the original token if the new token had been requested earlier,allowing the owner of the new token to act as if the new token had beenobtained earlier than it was requested.
 15. A method for responding to afile system protocol request in regard to a back-end server comprisingthe steps of: receiving tokens from a primary token server incommunication with a plurality of cache appliances; synchronizing accessto data caches and attributes caches of the cache appliances with thetokens by revoking incompatible tokens when granting new tokens; readingand writing file data and attributes in the caches of the cacheappliances holding tokens; writing data in the data caches andattributes in the attributes caches to a back-end server when the tokensare revoked, the cache appliance having persistent storage in which thedata and attributes are stored, and the token server having persistentstorage in which tokens are stored; mirroring in a hot spare tokenserver the write data tokens and write attribute tokens, the hot sparetoken server replaces the primary token server if the primary tokenserver fails and continues operation with a reconstructed tokendatabase, if the hot spare token server replaces the primary tokenserver, the hot spare server becomes the primary token server and eachwrite data token and write attribute token that is mirrored in the hotspare token server is revoked in a same way as when a correspondingwrite data token or read data token is revoked in the primary tokenserver; and choosing the token server by a function which includes afile handle as a parameter using hashing, which maps the file handle toa plurality of token servers.
 16. A method for responding to a filesystem protocol request in regard to a back-end server comprising thesteps of: receiving tokens from a primary token server in communicationwith a plurality of cache appliances; synchronizing access to datacaches and attributes caches of the cache appliances with the tokens byrevoking incompatible tokens when granting new tokens; reading andwriting file data and attributes in the caches of the cache appliancesholding tokens; writing data in the data caches and attributes in theattributes caches to a back-end server when the tokens are revoked, thecache appliance having persistent storage in which the data andattributes are stored, and the token server having persistent storage inwhich tokens are stored; mirroring in a hot spare token server the writedata tokens and write attribute tokens, the hot spare token serverreplaces the primary token server if the primary token server fails andcontinues operation with a reconstructed token database, if the hotspare token server replaces the primary token server, the hot spareserver becomes the primary token server and each write data token andwrite attribute token that is mirrored in the hot spare token server isrevoked in a same way as when a corresponding write data token or readdata token is revoked in the primary token server; and leasing the readdata tokens and read attribute tokens and automatically revoking themwhen their lease expires, which prevents read access to the data and theattributes associated with the read data tokens and read attributetokens.